When investigating a story, journalists seek answers to the five Ws and one H: who, what, when, why, where, and how. Similarly, regulators are now requiring organizations to more explicitly share the details of a breach by specifying notification content.
In most U.S. states, the first wave of data breach notification laws did not typically specify what information must be included in a notice to affected individuals. More recently, however, we’ve seen an emergence of notification content requirements as states amend their general breach notification statutes. In 2019, six states added this specificity: Delaware, Massachusetts, New Jersey, New York (SHIELD Act), Ohio, and South Carolina.
For example, the New York SHIELD Act now requires breached organizations to include “the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information.”
The Nitty-Gritty Details of Notification Content
When faced with a potential breach, a primary goal of any privacy professional is to help those individuals affected by the incident. This is why states are now requiring organizations to provide more specific detail to the public on how to protect their credit, request a security freeze on their credit, or obtain a police report.
Notification content typically includes information such as:
- The date, estimated date, or estimated date range of the security breach.
- A description of the personal information believed to have been acquired as part of the security breach.
- Information that the resident can use to contact the covered entity to inquire about the security breach.
- The toll-free numbers, addresses, and websites for consumer reporting agencies, along with how to place a credit freeze on an account if an individual’s Social Security number (SSN) was breached.
- The toll-free number, address, and website for the Federal Trade Commission (FTC).
- A statement that the resident can obtain information from the FTC and credit reporting agencies about fraud alerts and security freezes.
- A description of the actions taken by the covered entity to restore the security and confidentiality of the personal information involved in the breach.
The Federal Trade Commission recommends consulting with law enforcement about what information to include so the notification content doesn’t interfere with the investigation. The FTC also suggests providing information about the law enforcement agency working on the breach, if the agency agrees doing so would help.
It’s critical to remember that, in addition to affected individuals, you may in some instances have reporting obligations to state agencies, credit reporting agencies, and the media as well. Meanwhile, some state jurisdictions are silent on what a notice must include. In the event of a breach across state lines, there is additional complexity in ensuring that the letters produced and sent out meet the nuanced requirements of each jurisdiction.
Notification Content for International Breaches
If a breach crosses national borders, you’ll also need to consider notification requirements for each country or region’s jurisdiction. For example, the GDPR has specific content requirements for notifying the supervisory authority and data subjects, including:
- The nature of the personal data breach, including the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
- The name and contact information of the data protection officer or other contact where more information can be obtained.
- The likely consequences of the personal data breach.
- The measures taken or proposed to be taken by the controller to address the personal data breach, including measures to mitigate its possible adverse effects.
Why This Trend Matters to Privacy and Security Teams
New notification content legislation is generally intended to keep notifications consistent and individuals fully informed. However, these types of changes can add complexity to the privacy incident response process, especially in the case of a single breach spanning multiple states.
Templates for notification letters can provide that consistency, as long as the templates are adapted to meet each jurisdiction’s content requirements. Organizations should create a proactive plan for notification that meets all agency, jurisdictional, and contractual obligations—including the decision to handle notifications internally or outsource them. Privacy automation with always-compliant and customizable notification templates can cut the complexity and help you meet notification deadlines.
Breached organizations have an obligation to educate individuals about the significance of a breach and provide resources to protect themselves if they have been put at risk of harm. Your privacy and security teams will find that both what you say—and the manner in which you say it—are critical to staying compliant with state, federal, and international laws.
Stay tuned for the next post in this series, in which we discuss the fourth (and final) regulatory trend: requirement to notify the state attorney general. In the meantime, you can:
- Read the first two blog posts in the series: The Expanding Scope of Personal Information and Increasing Specificity in Notification Timelines.
- Download the free ebook: Trends in Changing Data Breach Notification Laws 2020.